[Novalug] encryption at rest on a virtual server for a virtual drive
The Doctor
drwho@virtadpt.net
Wed Sep 11 13:39:30 EDT 2013
On 09/10/2013 11:18 PM, Stuart Gathman wrote:
> a. The key will remain readable in RAM for several minutes after
> pulling the power plug, so you would also need to password the
> BIOS - or else activate TCA to prevent booting anything that isn't
> signed.
The attacker would need physical access, would need to know which
physical server it is, and would need sufficient equipment in hand to
mount a coldboot attack. Mitigated by site security, locks, cages,
servers looking the same, armed guards, needing to tear open the
machine...
What's the threat model here? Personal box in the basement or at work?
> b. If I were a data thief, I would bring a UPS to keep the server
> running while I disconnected it (especially easy with dual power
Commercially available:
https://drwho.virtadpt.net/archive/2008/02/22/portable-power-for-search-and-seizure
> supplies). To defeat that, the server needs a watchdog process
> that checks for authenticated connectivity to another secure
> server, which is only available on the local LAN. The server wipes
> keys (and forcibly terminates virtual machines) if it loses that
> connectivity.
Could such a thing also be wired into a case opening detection switch?
--
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/
END OF LINE
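The watchdog described in point (b), together with the case-switch input asked about in the reply, as an added example that is not part of the original message. The HMAC challenge-response, the `probe` transport callback, the miss threshold and the `case_open` flag are all assumptions; `zero_key` stands in for whatever actually drops the volume key and terminates the virtual machines.

```python
import hashlib
import hmac
import os


def beacon_response(shared_key: bytes, nonce: bytes) -> bytes:
    """Reply computed by the LAN-only peer: HMAC-SHA256 over the fresh nonce."""
    return hmac.new(shared_key, nonce, hashlib.sha256).digest()


def zero_key(buf: bytearray) -> None:
    """Stand-in wipe action: overwrite the in-memory key material in place."""
    buf[:] = bytes(len(buf))


class KeyWatchdog:
    def __init__(self, shared_key, probe, wipe, max_misses=3):
        self.shared_key = shared_key
        self.probe = probe            # assumed transport: callable(nonce) -> reply bytes
        self.wipe = wipe              # called once when the watchdog trips
        self.max_misses = max_misses  # tolerate brief outages before wiping
        self.misses = 0
        self.tripped = False

    def _peer_ok(self) -> bool:
        nonce = os.urandom(16)        # fresh nonce, so a recorded reply cannot be replayed
        try:
            reply = self.probe(nonce)
        except OSError:               # unreachable peer counts as a miss
            return False
        expected = beacon_response(self.shared_key, nonce)
        return isinstance(reply, bytes) and hmac.compare_digest(reply, expected)

    def tick(self, case_open: bool = False) -> bool:
        """Run one check; returns True once the keys have been wiped."""
        if self.tripped:
            return True
        if case_open:                 # tamper switch trips immediately
            self.misses = self.max_misses
        elif self._peer_ok():
            self.misses = 0
        else:
            self.misses += 1
        if self.misses >= self.max_misses:
            self.wipe()
            self.tripped = True
        return self.tripped
```

Call `tick()` from a periodic timer and pass the chassis switch state as `case_open`; a lower `max_misses` wipes sooner but makes a brief LAN outage more likely to cost a reboot and key re-entry.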